What ISO 27001 certification really means at SpaceTime
Information security has a reputation problem. It often sounds either painfully abstract or aggressively technical, and occasionally both at the same time.
ISO/IEC 27001 takes a different approach. Instead of asking which tools you use, it asks how your organisation actually behaves when information is created, shared, stored, and sometimes mishandled. It focuses on your day-to-day operations: on what happens on average Tuesdays.
We are proud to share that SpaceTime is now ISO/IEC 27001 certified, following an independent audit by West Assured. This certification confirms that information security at SpaceTime is managed in a structured, documented, and continuously improving way.
So what does that look like in practice? Let’s have a look.
From “we’re careful” to “this is how we do it”
Most organisations would say they take information security seriously. ISO 27001 replies, “OK, now prove it.”
For SpaceTime, this meant clearly defining what information needs protection and why. Operational data, partner information, internal systems, and documentation are not all treated the same way. Each has defined handling rules that explain where it can live, who can access it, and what happens if something changes. Instead of relying on shared understanding or (inhumanely) good memory, these rules are written down, reviewed, and followed. This removes guesswork and makes secure behaviour the default rather than something people have to remember to do.
Suspicious activity, access denied!
At SpaceTime, access to systems and information is based on what someone actually needs to do their job. When roles change, access is reviewed. When access is no longer needed, it is removed. This sounds obvious, but in reality it is one of the most effective ways to reduce risk.
If something ever does go wrong, limited access also limits impact. Fewer open doors means fewer problems to clean up later.
Planning for boring problems, not just dramatic ones
Humans are the biggest risk for security incidents. Until we all are replaced by AI (which hopefully is never), there is no way around it.
ISO 27001 does not assume that security incidents only come from dramatic external attacks; it is equally concerned with everyday issues such as lost devices, system outages, or suppliers changing how they operate.
This means asking questions in advance. What happens if a system is unavailable for a day? What information would be affected? Who needs to be informed? What steps should be taken first? At SpaceTime, these scenarios are considered, documented, and reviewed. The goal is not to predict every possible issue, but to avoid panic and improvisation when something unexpected happens.
Clear ownership and responsibilities
People are trained to recognise security risks in the context of their actual work, not through abstract theory that barely sticks. Processes are designed so that secure choices are the easiest choices. Responsibilities are clear, so decisions are not delayed by uncertainty about ownership.
When new tools or services are introduced, security is part of the conversation from the start. Questions about data handling, access, and long-term reliability are built into decision-making rather than added at the end, when it is harder to change the way someone is used to operating. It’s like trying to teach your grandma how to use an iPhone: learning would have been much faster if she had it growing up.
Big milestone!
ISO/IEC 27001 certification is not something you print once and forget about. It requires ongoing internal reviews, regular risk assessments, and annual external audits. In practical terms, this means that SpaceTime keeps improving every month and every year. As systems evolve and ways of working change, our information security practices are reviewed and adjusted to match whatever is going on in the world and what needs extra attention.
For our team, partners, and collaborators, ISO 27001 certification is a signal of how seriously we take responsibility. We promise to secure the critical data of Europe, and the way we operate inside the company has always reflected that as well. Now we also have a certification to show off.
But of course, trust is rarely created by big promises. It is built through consistent, repeatable behaviour over time. ISO/IEC 27001 gives us a framework to do exactly that. Achieving this certification is an important milestone for SpaceTime. It is also a commitment we continue to uphold as we grow, learn, and refine how we work.
If you have any questions regarding our information security policies, reach out to hello@spacetime.eu. We’re always here to help!